Mozilla rushes to patch active Firefox zero-day targeting Tor users

A security flaw in Firefox? That's unusual, isn't it?

MOZILLA rushed out a patch for a critical security flaw affecting Firefox 49 and 50 this week, just as a new exploit for an even bigger security flaw was uncovered that targets those using the browser with Tor.

The zero-day flaw exploits a heap overflow bug and enables malicious code to be run on targeted Windows PCs. Over on the official Tor website, the flaw was verified by Tor co-founder Roger Dingledine. It consists of one HTML and one CSS file.

Dingledine confirmed that Mozilla is already working on a patch to fix the flaws.

"It sounds like the immediate next step is that Mozilla finishes their patch for it; then the step after that is a quick Tor Browser update," he said. "And somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser."

According to security specialists, the payload of the exploit is almost identical to one used by the FBI in 2013 to de-anonymise and identify the IP addresses of people visiting a child-rape website.

"When I first noticed the old shellcode was so similar, I had to double check the dates to make sure I wasn't looking at a three-year-old post," suggested one security specialist.

While the exploit takes advantage of a heap overflow flaw, it requires JavaScript to be enabled in the web browser. Switching JavaScript off when using Tor is the standard recommendation whenever maximum security is required, precisely because of risks like this one.

Currently, the exploit code points to IP address 5.39.27.226, a server hosted by OVH in France, which makes it unlikely that the FBI (or any other US agency) is behind it.

Just days before this exploit was outed, Mozilla patched another critical flaw that enabled an attacker to take control of a targeted PC - and that came just two weeks after another major patch for the open-source web browser.

In an advisory published this week along with the patch, the Mozilla Foundation admitted that the flaw "can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them."